A security researcher has successfully exploited a Safari vulnerability to take control of the Touch Bar on a MacBook Pro. Samuel Groß demonstrated the exploit on the first day of this year’s Pwn2Own ethical hacking conference …
The final attempt on Day One saw Samuel Groß (5aelo) of phoenhex targeting Apple Safari with a macOS kernel EoP. Last year, his exploit involved a touchbar component, and this year proved to be no different.
He used a combination of a JIT optimization bug in the browser, a macOS logic bug to escape the sandbox, and finally a kernel overwrite to execute code with a kernel extension to successfully exploit Apple Safari. This chain earned him $65,000 and 6 points towards Master of Pwn. Similar to last year, he left a message for us on the touchbar once he was complete.
TippingPoint, the organization behind the conference, pays bounties for exploits so that its security software can protect against them ahead of vendor patches.
Apple has a good track record of timely responses to major security vulnerabilities, and for patching minor ones in regular updates, so we’d expect to see this one patched in an upcoming macOS update.
Separately, Check Point Research has discovered a serious bug in the Mac version of the Google Chrome Remote Desktop Application. This allows someone to gain access to an admin or other user account without requiring the password.
What is expected to happen is that the local user that connects remotely to a macOS machine will receive the desktop of a ‘Guest’. But while this is what appears in the remote machine, the local machine (the Chrome extension) receives the desktop of the other active user session, which in this case is an admin on the system, without ever entering the password.
CPR said that it reported the bug to Google a month ago, but the search giant said that it had no plans to fix it as ‘the login screen is not a security boundary.’